Re: Password Manager opinions and recommendations

On 26 Mar 2018, Richard Hector wrote:

moin moin,

On 26/03/18 04:52, rhkramer@xxxxxxxxx wrote:
I started reading up on password managers in order to consider using one.

I use the keepass family - KeePassX on Debian, KeePassDroid on Android.
I believe Windows and Mac versions are available as well.

KeePassX and KeePassDroid are also what I use and regularly recommend. I
even have a talk essentially wrapped around using KeePassX to store all
the unique, random stuff I recommend (username, password, subaddress for
email, security questions and answers, birthdate, etc.).

I gave the talk at SCaLE a couple weeks ago and someone pointed out
KeePassXC, which I had not run into. It's KeePassX with more people
participating and has added some excellent features. For instance, you can
get a random string from anywhere in the UI, not just when generating a
password. It can also sync passwords with multiple files.

The person who brought it up during my presentation also mentioned that it
has ssh-agent integration. I have not yet looked at that.

https://keepassxc.org/

https://packages.debian.org/sid/keepassxc

   * encrypted storage on my own machines (no storage "in the cloud")

Yes

   * ability to transfer to other devices, including Android tablets and
phones--either all the passwords or just one for some special logon on a
machine I don't normally use.  Currently I do almost everything (that requires
a password) on one of my desktop computers.  I have a laptop that I use very
occasionally.  Occasionally I've had to go to a library (or similar) to use a
Windows machine.  I do have an Android tablet and phone, and, in general, I
don't use that for confidential type stuff (no banking, for example), but that
could change if either I feel very secure or in some sort of extreme
emergency.

I sync my database to my own NextCloud instance - in my case it's on a
VPS, which I guess is 'in the cloud', but I manage it myself. There are
NextCloud clients for all the above platforms as well.

   * (a repeat of part of the previous bullet) a means to easily take an
individual password to another machine for occasional use of another machine

I use multiple files as not every device needs access to all of my data.

Until now I've kept passwords in sync by hand. I'm looking forward to moving to KeePassXC and being able to sync via the password manager. Initial testing looks good.

Not that I know of. But it's on my phone, which goes where I go. That
does mean I sometimes have to view the password and type it in, which is
a pain for a 16-character password full of symbols ...

KeePassDroid puts the username and password into dropdowns from the alerts
menu making for easy copy and paste without needing to know what they are.

   * a means to recover all the passwords if the password manager becomes
defunct (and this also implies backup and restore capabilities)

It's free software, so you can keep copies of it. It can export to XML
(IIRC) too.

KeePassX is one of many tools that uses the KeePass2.x file format, so
multiple projects have to cease to exist for a long time before the files
can no longer be read.

I believe you can use the command line interface to export to XML, so you
might be able to pipe that into GPG for universal backups.

   * a means to automatically generate secure passwords

Yes. Well, I assume they're secure; I'm no cryptographer.

We can add character set requirements and most sites now allow 30+
characters, so they at least look random.

   * a means to automatically update passwords on the target websites (to
facilitate regular / frequent password changes)--this is probably a stretch--I
mean something that would work its way through the various screens and prompts
to change a password with a minimum of manual intervention by me

Difficult. That would have to be scripted for each website etc, wouldn't it?

Many of the KeePass* tools support auto-type which will send a sequence to
the browser. The sequence can use the default pattern or be customized.

I believe one of the commercial, proprietary tools offers to change all
your passwords for you and uses a JavaScript client to do so, so perhaps
there's already a model to replicate.

I don't use auto-type, so haven't investigated beyond seeing that it's
there. I have had multiple people report that it works well for them.

ciao,

der.hans
--
#  https://www.LuftHans.com   https://www.PhxLinux.org
#  I'm not anti-social, I'm pro-individual. - der.hans
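The thread's point about recoverability (export to XML so the data outlives any one KeePass client) is easy to check in practice. Below is an added example, not code from this thread or from any KeePass project, that reads a KeePass 2.x style XML export with nothing but the Python standard library and lists the entries with their group path. The XML snippet embedded in it is constructed to mirror the shape of such an export (KeePassFile/Root/Group/Entry/String with Key/Value pairs, nested Groups) and is not a real database; the field names Title, UserName, Password and URL are the ones KeePass uses, while the "Security question" field is an assumed custom attribute of the kind the talk recommends storing. The producing command is assumed to be something like `keepassxc-cli export --format xml db.kdbx | gpg --symmetric -o backup.xml.gpg`; check `keepassxc-cli export --help` for the exact flags on your version, and keep in mind that the XML on the pipe is plaintext, so it should only ever land on disk inside the gpg output.

```python
"""Read a KeePass 2.x XML export without any KeePass tooling.

Added example: if every KeePass client disappeared, a gpg-encrypted XML
export can still be decrypted and read with a few lines of standard
library code. Nothing here is KeePassX/KeePassXC project code.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a KeePass 2.x XML export (not a real
# database). Real exports also carry UUID, Times, History and Meta data.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<KeePassFile>
  <Meta><Generator>KeePassXC</Generator><DatabaseName>example</DatabaseName></Meta>
  <Root>
    <Group>
      <Name>Root</Name>
      <Entry>
        <String><Key>Title</Key><Value>Example Mail</Value></String>
        <String><Key>UserName</Key><Value>alice</Value></String>
        <String><Key>Password</Key><Value ProtectInMemory="True">s3cret!</Value></String>
        <String><Key>URL</Key><Value>https://mail.example.org</Value></String>
        <History>
          <Entry>
            <String><Key>Title</Key><Value>Example Mail</Value></String>
            <String><Key>Password</Key><Value ProtectInMemory="True">old-pass</Value></String>
          </Entry>
        </History>
      </Entry>
      <Group>
        <Name>Banking</Name>
        <Entry>
          <String><Key>Title</Key><Value>Example Bank</Value></String>
          <String><Key>UserName</Key><Value>alice-bank</Value></String>
          <String><Key>Password</Key><Value ProtectInMemory="True">hunter2</Value></String>
          <String><Key>Security question</Key><Value>Mother's maiden name: x7Q!v</Value></String>
        </Entry>
      </Group>
    </Group>
  </Root>
</KeePassFile>
"""


def _entry_fields(entry):
    """Collect the Key/Value pairs of one Entry into a dict.

    ProtectInMemory="True" only marks fields the client keeps encrypted in
    RAM; in the XML export the value itself is plaintext.
    """
    fields = {}
    for s in entry.findall("String"):
        key = s.findtext("Key")
        value_el = s.find("Value")
        fields[key] = (value_el.text or "") if value_el is not None else ""
    return fields


def _walk(group, path, out):
    """Recurse through nested Groups, recording the group path per entry.

    findall("Entry") only matches direct children, so the old versions
    kept under Entry/History are deliberately not reported as entries.
    """
    here = path + [group.findtext("Name") or ""]
    for entry in group.findall("Entry"):
        out.append({"group": "/".join(here), **_entry_fields(entry)})
    for sub in group.findall("Group"):
        _walk(sub, here, out)


def read_export(xml_text):
    """Return a list of entry dicts from KeePass 2.x XML export text."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "KeePassFile":
        raise ValueError("not a KeePass 2.x XML export: root is <%s>" % root.tag)
    entries = []
    for top in root.findall("./Root/Group"):
        _walk(top, [], entries)
    return entries


def find_entry(entries, title):
    """Look up a single entry by Title, e.g. to carry one login to another machine."""
    for e in entries:
        if e.get("Title") == title:
            return e
    return None


if __name__ == "__main__":
    # Typical use: gpg --decrypt backup.xml.gpg | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EXPORT
    for e in read_export(text):
        print("%-14s %-14s %s" % (e["group"], e.get("Title", ""), e.get("UserName", "")))
```

Run with a decrypted export on stdin to list group, title and username without ever writing the plaintext to disk; `find_entry` pulls a single record when only one login is needed on a borrowed machine.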